Junos Pulse gives security warning for RapidSSL certificate

I installed a commercial certificate from RapidSSL and associated it with the external cluster address. Firefox is happy. But when I connect with Junos Pulse, it gives a security alert saying that the site is untrusted.

I can make the warning go away by installing the RapidSSL certificate in the Java keystore on the client, in addition to the preinstalled Global Trust CA parent certificate.

This isn't a good solution for external users. Is this a known problem with Oracle Java, that I need to get a non-chained certificate instead?

Re: Junos Pulse gives security warning for RapidSSL certificate

No, that is a different issue, where the client is using a certificate for authentication.

The issue I have is "cosmetic" only - the user can click "always trust this certificate". As a security officer I deprecate that, and besides, it's annoying to have paid for a commercial certificate that offers no advantage over a free one from our own CA.

Re: Junos Pulse gives security warning for RapidSSL certificate

It sounds like the intermediate files were not installed correctly on the web server. Since Firefox has a separate certificate store, it may be possible the intermediate already exists or could be validating a different chain which is missing from the Windows certificate store.

Could you provide the URL where the SSL certificate is installed? I can run a few tests.

Re: Junos Pulse gives security warning for RapidSSL certificate

I generated a CSR on the MAG, then sent that to RapidSSL. They provided a certificate, which I imported into the MAG (which is a webserver now with a key and a certificate).

In both Firefox and Java on the client computer, the Global Trust CA root certificate is installed by default as a trusted authority. In Firefox, that is sufficient to validate the MAG webserver. In Junos Pulse, using the Java SSL library, it is not. I have to manually install, on each client system, the intermediate RapidSSL certificate into the Java keystore.

If you mean can I give you the URL to our MAG appliance, yes, but I would rather not do so on a public forum.

Is there a private message ability in these forums? Else I'll just give my email.

Re: Junos Pulse gives security warning for RapidSSL certificate

I believe that is the step you are missing then. You need to install the intermediate CA to the SA or MAG after installing the SSL certificate you received from RapidSSL. If they are missing from the SA, it will assume the browser has all of the certificates needed to validate the certificate chain.

If you click on the mail icon at the top, you can compose an email to me or you can send it directly to kkitajima@juniper.net.
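
Added example, not part of the original thread: one way to confirm from the client side whether a server sends its intermediate, by parsing the "Certificate chain" section that `openssl s_client -connect <host>:443 -showcerts` prints and checking whether a client holding only the root could link the chain. The function names and the certificate names in the sample output are hypothetical and constructed; the check compares names only and does not verify signatures.

```python
import re

# "Certificate chain" entries in s_client output: " 0 s:<subject>" then "   i:<issuer>"
_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s+i:(.*)$")


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, pending = [], None
    for line in s_client_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            pending = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and pending is not None:
            chain.append((pending, m.group(1).strip()))
            pending = None
    return chain


def missing_link(chain, trusted_roots):
    """Return the issuer name a root-only client cannot resolve, or None."""
    # Name matching only: signatures and validity dates are not checked here.
    if not chain:
        return "<no certificates presented>"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return issuer
    last_subject, last_issuer = chain[-1]
    if last_issuer in trusted_roots or last_subject in trusted_roots:
        return None
    return last_issuer


# Constructed sample output (hypothetical names), not captured from a real server.
ROOT = "CN=Example Root CA"
LEAF_ONLY = """Certificate chain
 0 s:CN=vpn.example.test
   i:CN=Example Intermediate CA
"""
WITH_INTERMEDIATE = LEAF_ONLY + """ 1 s:CN=Example Intermediate CA
   i:CN=Example Root CA
"""

if __name__ == "__main__":
    for label, text in (("leaf only", LEAF_ONLY), ("with intermediate", WITH_INTERMEDIATE)):
        print(label, "->", missing_link(parse_chain(text), {ROOT}) or "chain complete")
```

A result naming the intermediate for the leaf-only case matches the symptom in this thread: a client whose store already holds the intermediate validates the site, while a client with only the root in its keystore reports it as untrusted.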